Monzo staff had access to 480,000 user PINs for six months

UK challenger bank Monzo told nearly half a million users to change their PINs after a security error.

On Monday (5 August), UK challenger bank Monzo published a blogpost that advised customers to change their PINs following a security slip-up.

The fintech company said that on Friday (2 August), it discovered that some PINs had been stored in part of the company’s internal system that employees had access to for around six months. Monzo said that this affected “less than a fifth” of its 2.6m customers, or around 480,000 users in the UK.

Wired detailed how a portion of the PINs were stored in encrypted file logs that were accessible to “rank-and-file” employees.

The PINs that were stored affected customers who had used two particular Monzo services: receiving a reminder of their card number or cancelling a standing order. Only one in five customers had used one or both of these services, which led to their PIN being stored improperly.

Monzo, which is now valued at £2bn, said: “As soon as we discovered the bug, we immediately made changes to make sure the information wasn’t accessible to anyone in Monzo.

“By 5.25am on Saturday morning, we had released updates to the Monzo apps. Over the weekend, we then worked to delete the information that we’d stored incorrectly, which we finished on Monday morning.”

Security concerns

The company said that it has examined all of the affected accounts thoroughly, to confirm that the information was not used to commit fraud. As a precaution, Monzo messaged every affected user, encouraging them to visit an ATM where they can change their PIN.

“This issue affected less than a fifth of UK Monzo customers,” the company explained. “If we haven’t emailed you, you haven’t been affected. But you should still update your app to the latest version.”

Marios Kyriacou, founder of cybersecurity consultancy The Security Bureau, told Wired: “At this point, we don’t know what ‘encrypted’ means. Given that PINs are made up of four digits, it wouldn’t be difficult to decrypt these and find out what the real PINs were.”

Kyriacou estimated that 110 engineers would have had access to this particular data, which raised further concerns for him regarding Monzo’s security procedures.

Later on Monday afternoon, after making the security issue public, Monzo announced that it would be releasing its own metal card to customers who want to avail of a premium service, similar to competitors Revolut and Curve.